The Human Factor of Corporate Spying

Anyone can be recruited--knowingly or not--to spy against his or her own interests, so companies must pay as much attention to the human elements of computer security as they do to the technical factors.

Every few days, Richard would seek out Sally, a twentysomething salesclerk at a retail outlet of a telecommunications conglomerate. When they first met, Richard, who's in his early 30s, said he was the manager in charge of buying telecom equipment for a fast-growing startup, and he did, in fact, make a purchase on each visit.

Richard and Sally became friendly, and after a month, he took her out to lunch and confessed, "You're a nice girl, but I'm not interested in you as a friend. I'm on a secret mission from the CEO of your company, and we need your help."

He explained that a midlevel manager had been stealing trade secrets from the company, and they needed Sally's help to replicate the methods they thought the manager was using. Sally had access to a PC that was connected to the corporate network, and Richard told her how to retrieve confidential files. He swore her to secrecy, telling her that only the CEO, a vice president, Richard and now Sally knew of this operation.

What Richard didn't tell Sally was that this was all a lie: He actually worked for her company's rival. Unwittingly, Sally became a corporate spy for the competition and began dutifully relaying files to a secret e-mail account.

A few weeks later, Richard told Sally that the vice president wanted to meet her at a restaurant. When they arrived, Sally saw the executive sitting at a table across the room with a man she didn't recognize. Richard walked over to their table and, out of Sally's earshot, began chatting with the companion. Unbeknownst to the VP, the man was an agent who was working with Richard and had arranged to meet the VP at the restaurant.

Richard soon returned to Sally and told her the VP had had second thoughts about meeting in public for fear it could jeopardize the operation. He said the VP wanted to recognize her cooperation, so Richard asked Sally to glance over at the VP. When Sally turned toward the executive, she could no longer see Richard, who then waved to the VP. The executive waved back, and Sally assumed that he was acknowledging her.

Weeks passed, and Richard gave Sally a $15,000 bonus as part of the "anti-fraud team." Months later, he gave her a $30,000 bonus. She was hooked and would do anything Richard asked.

Eventually, Richard told Sally the truth. Though shocked and dismayed, she was too deep into the scheme to back out.

Sally's and Richard's names are fictional, but this tale is based on a true incident, relayed by Arik Friman, CEO of the counterintelligence firm DMOS and recently retired from the Israeli intelligence community.

Friman's point: Nearly anyone can be recruited--knowingly or not--to spy against his or her own interests, so companies must pay as much attention to the human elements of corporate computer security as they do to the technical factors.